Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
On 01/25/12 12:14 -0800, Chastity Blackwell wrote:
I've made a lot of progress, but I've run into a wall. Kerberos and LDAP
are working in my testbed, and I can kinit and do an ldapwhoami no
problem. testsaslauthd also gives me a success when I run it. However,
What does your testsaslauthd command look like? Are you passing a '-u
user@example.com', or a '-r example.com', or both?
What is your default Kerberos realm (/etc/krb5.conf), if any, on the box
running slapd and saslauthd?
On 01/26/12 13:53 -0800, Chastity Blackwell wrote:
On Thu, 2012-01-26 at 15:23 -0500, Dan White wrote:
That indicates a mistake in your /etc/sasl2/slapd.conf, which should have:
saslauthd_path: /var/run/saslauthd/mux
not /var/run/sasl2/mux
Well, now I just feel like an idiot. :) That did move things along a
bit, though now I'm getting this error:
2012-01-26T13:48:28-08:00 ldapsandbox10-1-qa-sjc saslauthd[15889]:
do_auth : auth failure: [user=chas@test.com] [service=ldap]
[realm=test.com] [mech=kerberos5] [reason=saslauthd internal error]
You might get more details from saslauthd -d.
Do your Kerberos logs provide anything useful?
I'm guessing the problem here is that the realm should match my Kerberos
realm, which is called "KRBTEST", not test.com -- is this something that
needs to be fixed with an authz-regexp?
Where is test.com coming from? Your userPassword entry?
--
Dan White
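An added example, not code from this thread or from OpenLDAP or Cyrus SASL, that automates Dan's line of questioning: it parses the saslauthd failure line, reads default_realm from a krb5.conf fragment, and checks whether the realm in the failure is the one embedded in a {SASL}user@realm userPassword value. The log line, krb5.conf fragment and userPassword value are constructed from the thread's details (KRBTEST, test.com, chas).

```python
import configparser
import re

# Constructed sample input, modelled on the saslauthd failure line quoted in the thread.
SAMPLE_LOG = (
    "2012-01-26T13:48:28-08:00 ldapsandbox10-1-qa-sjc saslauthd[15889]: "
    "do_auth : auth failure: [user=chas@test.com] [service=ldap] "
    "[realm=test.com] [mech=kerberos5] [reason=saslauthd internal error]"
)
# Constructed krb5.conf fragment; KRBTEST is the realm name mentioned in the thread.
SAMPLE_KRB5_CONF = "[libdefaults]\ndefault_realm = KRBTEST\n"
# Constructed userPassword value in OpenLDAP pass-through form ({SASL}user@realm).
SAMPLE_USERPASSWORD = "{SASL}chas@test.com"

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_saslauthd_failure(line):
    """Return the [key=value] fields of a saslauthd do_auth failure line, else None."""
    if "do_auth : auth failure:" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def krb5_default_realm(conf_text):
    """Read default_realm from the [libdefaults] section of a krb5.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("libdefaults", "default_realm", fallback=None)

def sasl_userpassword_realm(value):
    """Realm part of a {SASL}user@realm userPassword, or None if not pass-through."""
    m = re.fullmatch(r"\{SASL\}([^@]+)@(.+)", value)
    return m.group(2) if m else None

def diagnose(line, krb5_conf_text, user_password):
    """Return findings explaining where the realm in the failure comes from."""
    fields = parse_saslauthd_failure(line)
    if fields is None:
        return []
    findings = []
    log_realm = fields.get("realm")
    default_realm = krb5_default_realm(krb5_conf_text)
    pw_realm = sasl_userpassword_realm(user_password)
    if default_realm and log_realm != default_realm:
        findings.append(f"saslauthd realm {log_realm!r} != krb5 default_realm {default_realm!r}")
    if pw_realm and pw_realm == log_realm:
        findings.append(f"realm {log_realm!r} is taken from userPassword {user_password!r}")
    return findings
```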